RV042 Preshared key hidden
Hi everyone,
I'd like to know if it's possible to hide the Preshared key in the router configuration.
By default, you can see it in clear text if you've access on the RV042.
Thanks for your feedback.
Regards,
hdam
Hello hdam,
As far as I know, when you're administering and accessing the router configuration and you're setting up VPN, there is no method (or a checkbox) to hide the preshared key away from plaintext.
If security is a concern, perhaps limit the available management access to the vpn router, so not too many users will know the preshared key.
-Andrew Lien
Similar Messages
-
SSID with preshared key + ISE
Hi,
We have recently implemented Wifi at our site. We have Cisco 3502 APs, 2504-WLC and the latest Cisco ISE. I understand that in an ISE deployment, we can't have a preshared key (password or key) for the SSID as ISE will take over the authentication. Is that right?
Current scenario:
1. Laptop with wifi enabled will select the SSID in the list. Since we have disabled the broadcast, it will be shown as other network in the list.
2. User will select the other network and manually enter the SSID string.
3. Once the SSID matches with the WLC, he/she will be redirected to the ISE URL where he/she needs to enter the domain credentials.
4. After the credentials are validated, ISE (NAC) agent will be downloaded on the laptop.
5. Posture will begin and check for the compliance.
6. If the laptop is compliant, laptop will be allowed in the network else will be rejected.
Here, I would like to have preshared authentication for the SSID in the first phase as my infosec team is very particular about that. How can I achieve that?
Creating Native Supplicant Profiles
Before You Begin
• If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles, page 8-31.
• Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.
Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
Step 2 Choose Add > Native Supplicant Profile.
Step 3 Specify a Name for the agent profile.
Step 4 Enter an optional Description for the Native Supplicant Profile.
Step 5 Select an Operating System for this profile.
Step 6 Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).
Step 7 Choose the Allowed Protocol for the device profile.
Step 8 Enable or disable other Optional Settings as appropriate for this profile.
You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.
-
Lms3.2 passwords & preshared key
hello,
i have added some ASA to my ciscoworks server.
when i look at the config i see that preshared keys are removed and replaced by a star *
i see something like
tunnel-group cisco ipsec-attributes
pre-shared-key *
then i searched some directories for the plain text config files and it does not contain the preshared keys....
if i try to recover from a disaster with those "backup files" it's gonna be useless
is there any tricks to include preshared keys and passwords to my config files
thanks
The devices themselves are putting these stars in the config (starting in 8.2). The way RME archives the config is to do a "show runn" and extract the config from the output. RME does not yet support the ability to do a copy runn tftp, which would allow the clear text passwords to be archived. However, this undoes the security one would get by performing the screen scraping over SSH. Therefore, LMS only uses the "show runn" command to get the config.
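
An added example, not part of either post: a check that lists which secrets an archived "show runn" capture is missing, so the keys that must be re-entered after a restore are known before a disaster. It generalizes from `pre-shared-key *` to any command whose only value is a run of asterisks; the sample archive and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an archive taken from "show running-config" output.
# Only the "tunnel-group cisco" stanza mirrors the post; the rest is invented.
SAMPLE_ARCHIVE = """\
hostname edge-asa
enable password 8Ry2YjIyt7RRXU24 encrypted
tunnel-group cisco type ipsec-l2l
tunnel-group cisco ipsec-attributes
 pre-shared-key *
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
interface GigabitEthernet0/0
 nameif outside
"""

# A command whose only argument is a run of asterisks was masked by the device.
MASKED = re.compile(r"^(?P<cmd>\S.*?)\s+\*+$")


def find_masked_secrets(config_text):
    """Return (line_no, enclosing_stanza, command) for each masked value."""
    findings = []
    stanza = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[0].isspace()
        if not indented:
            stanza = line  # a top-level line opens a new stanza
        match = MASKED.match(line)
        if match:
            findings.append(
                (line_no, stanza if indented else None, match.group("cmd"))
            )
    return findings


def restore_gaps(config_text):
    """Group masked commands by stanza: what has to be re-keyed by hand."""
    gaps = defaultdict(list)
    for _line_no, stanza, command in find_masked_secrets(config_text):
        gaps[stanza or "(global)"].append(command)
    return dict(gaps)


if __name__ == "__main__":
    for stanza, commands in restore_gaps(SAMPLE_ARCHIVE).items():
        print(f"{stanza}: re-enter {', '.join(commands)}")
```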
-
DMVPN/preshared key configured and device stolen
Hello,
I have a question on DMVPN solutions where device is already configured with a preshared key and expected to be a part of a network once the device is fired up.
Now what if this device (e.g. router) is stolen and plugged to the Internet? I believe it will establish a connection with a hub router because preshared keys, DMVPN config are matching and is there a solution to prevent this?
I know it is a physical security question however I need to consider this rare scenario.
Thanks,
Deepak Ambotkar
The solution for that problem is to use digital certificates which is a best-practice for DMVPN. For that you can also use an IOS-router as a CA-server.
If you decide against certificates, then you can at least use PSK-encryption. That doesn't help against stolen devices, but helps against rogue spokes when someone can get the client-config.
-
Is it possible to use the anyconnect client and still use preshared keys? I'm trying to remediate a PCI issue that requires removing IKEv1, and preshared key, and disabling aggressive mode.
Will any of this break Anyconnect? Your assistance is appreciated!
Hi,
It is completely possible. You can disable the aggressive mode from the ASA and it will not affect the AnyConnect because it uses (TLS and DTLS protocols) which is completely different from the IPSec.
Now you can disable the aggressive mode as follows:
hostname(config)# crypto ikev1 am-disable
If you have VPN clients IPSec, they will work with main mode if you use certificate authentication only, not using pre-shared keys.
Please don't forget to rate and Mark as correct the helpful Post!
David Castro,
Regards, -
Question on IKE preshared key for sun systems.
Hi All
I'm testing IPsec between a Sun system and a device (and Windows XP). The main mode negotiation failed in the third exchange when encryption is on. Responder side complains about the payload sent from the other side is malformed. I suspect the problem is related to the preshared key configuration. Sun system require a hexadecimal on preshared key and the resulting key length should be at least of what encryption algorithm require (from IP service manual:
The encryption algorithm in this example (see Step 2) is DES, so the pre-shared key must be at least 64 bits. However, a longer key length is a good idea. For example,
# ike.preshared on enigma, 192.168.66.1
{ localidtype IP
  localid 192.168.66.1
  remoteidtype IP
  remoteid 192.168.55.2
  # enigma and partym's shared key in hex (128 bits)
  key ac077cc699c17055848a3cf34377980a
}
My question is that how should I configure the preshared key to match the one in Sun? like in windows system? I tried to use the exact same key on windows, but the authentication failed. If the problem is not from preshared key, any comments are welcome.
Thanks a lot!
To restore key from encoded data you have to use one of the KeySpec classes in your case DESKeySpec. Then you can use KeyFactory (SecretKeyFactory in this case) class to regenerate key.
// encodedKey is assumed here: the byte[] holding the encoded DES key
DESKeySpec keySpec = new DESKeySpec(encodedKey);
SecretKeyFactory factory = SecretKeyFactory.getInstance("DES", "SunJCE");
SecretKey myDESkey = factory.generateSecret(keySpec);
-
Entered Wrong preshared key on WLAN
Hi
I entered the wrong preshared key on the WLAN and I can't change it. Tried using the connection Manager but still says incorrect
Can anyone help please?
Thanks
Menu - Tools - Settings - Connections - Access Points - Select the WLAN in question - Options - Edit - WLAN Security Settings
Hope that helps
-
PA30 - field "Bank Control Key" hidden for Brazil company code
Dear friends,
We are facing problem when we use PA30 to create a Personnel nr. for country Brazil. We need to have the field Bank Control Key visible in the screen but only for other countries this is opened.
Does anyone know the way to setup PA30 to have the field Bank Control Key opened in the infotype Bank Data where we can enter a specific content to Brazil ?
BR,
Alessandro
Hi,
In this table T588M you can make change to the fields in your infotype.
Hope it helps.
Regards,
Edoardo -
Wifi Profiles with PreShared Key
Hey everyone,
I have a client with some pretty basic requirements that would like to see from SCCM/Intune. One of those is the ability to deploy WPA2-PSK Wireless profiles to newly enrolled Intune devices (iOS, Android, and WP8). They would like to deploy the PSK as part of this process so they don't have to hand out the key to everyone. I see there isn't a way in the interface to configure a WPA profile with the PSK. Does anyone know if this possible any other way?
If not I guess unless you're not broadcasting your SSID, what would be the advantage of deploying a WPA-PSK WiFi profile versus the user just selecting the SSID and clicking connect themselves from whatever device they are on? Maybe I am missing something?
Thanks!
Hi,
No you are correct it is currently not possible.. The only benefit of deploying the WIFI profile is that the device will connect to it automatically but still you would have to enter the password.
Regards,
Jörgen
-
Where is my network key hidden?
I have a wireless network setup in my home. The router is a D-Link 802.11g router. I have WPA encryption enabled. The problem is that I have "misplaced" the manual in which I wrote down my network key. I am able to get on the network about 50% of the time on bootup. If I do not get on at the initial bootup, 2 or 3 reboots usually gets me on the network. Internet connect, diagnostics, etc DOES NOT show my network key anywhere in my keychain. I would like to display my key so that I can be sure that it is in the keychain and also so that I can put it in a secure file if I need it for any of the 6 other computers in the house. Where do I find the key in my MacBook Pro (it is obviously present somewhere as I eventually get on my network). Thanks.
I thought keychain was just about PWs that were necessarily contained in the PC but I try to ignore Keychain. I think keeping PWs in my head is the safest. Even I can't access them sometimes.
I did find however that a 62 character WPA passphrase was available to me in clear text. If your router/Access Point, has a button in the admin page to back up settings then do that. I then searched for that file and opened it using Textwrangler. You would probably find that the file created by the settings backup routine on the AP will not have a default app assigned to it. Don't ASSIGN Textwrangler. Open that app and then select the settings config bkp as the file to be opened by it.
Textwrangler has a good search facility so look under 'passphrase' or whatever your connection device uses as a generic term for the passphrase. It will then find your long lost buddy with a neat line number reference.
Textwrangler is free from Barebones it is a lot more than a word processor so be careful what you do with the file in it. Do not edit it. Do not save it. That way the router/AP 'restore settings' routine can continue to use it. That is also why you should not set Textwrangler as its default app.
Of course your router/AP may write its bkp file in some strange format that only it can read. I doubt it.
-
N 97 mini invalid preshared WPA key
Hi guys, I also suffer from this bug of invalid preshared WPA key. The WLAN worked before, but stopped working one fine day. Have tried most of the things in these forum which I could understand. Also did a hard reset with thanks to U tube, but still with that invalid preshared key situation. Laptop and another device works well on the same WLAN. Is the WPA preshared key same as the password for the WLAN connection. If so have performed this step a dozen times. No luck. have been using a D link ADSL 502T and a D link wireless router. Need assistance please. Not much of a tech guy so be patient and verbose.
Ultramark wrote:
Thanks android for the reply. Tried both. When I had first entered it last year it was ascii. But I did have both the keys and neither worked.
Is it possible to reconfigure my wireless router after a hard reset and get things right??
Ultramark
Make sure you don't use special characters in your WPA psk. Turn off WPA2 only mode on your E97m.
-
VPN between RV042 and Cisco 2801
HI
Kindly help me out. I'm configuring a p2p vpn between a cisco 2801 with IOS 12.3 and a linksys RV042. I'm getting following error on Linksys and Cisco respectively.
[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Dec 19 02:40:42 2011
VPN Log
Received informational payload, type NO_PROPOSAL_CHOSEN
dst src state conn-id slot status
x.x.x.x x.x.x.x MM_NO_STATE 0 0 ACTIVE
Below are my config:
Linksys RV042:
Keying Mode: IKE with Preshared Key
Phase1 DH Group: Group2
Phase1 Encryption: 3DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect forward secrecy : enabled
Phase2 DH Group: Group2
Phase2 Encryption: 3DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 28800
Preshared Key: xxxxxx
Cisco 2801:
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxx address xxxxxx
no crypto isakmp ccm
crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
set peer xxxxxx
set transform-set STRONGER
set pfs group2
match address 103
interface FastEthernet0/0
ip address 10.0.0.56 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
ip address xxxx xxxx
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
crypto map myvpn
ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
snmp-server community public RO
route-map nonat permit 10
match ip address 110
Regards
SAM
Hi,
It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation. The default hash on the crypto isakmp policy is sha. On the 2801 try adding hash md5.
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
Let me know if that helps.
Thank you,
Jason NIckle -
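
The diagnosis in the reply, as an added example that is not part of either post: parse the `crypto isakmp policy` block, fill in the values IOS applies when a line is omitted, and compare the result with the RV042 Phase 1 settings. Only the `hash sha` default is confirmed by the reply; the other defaults (DES, RSA signatures, group 1) are assumed classic IOS values, and the function names are illustrative.

```python
# Assumed classic IOS defaults for an ISAKMP policy; the reply above
# confirms only "hash sha".
IOS_DEFAULTS = {"encr": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}
ALIASES = {"encryption": "encr"}
# Lifetime is not compared: IKEv1 peers do not require identical lifetimes.
IGNORED = {"lifetime"}

# Policy as posted for the 2801 (key and address already redacted there).
POSTED_2801 = """\
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxx address xxxxxx
"""
# The same policy with the line suggested in the reply.
FIXED_2801 = POSTED_2801.replace("encr 3des\n", "encr 3des\nhash md5\n")

# RV042 Phase 1 settings from the post, translated by hand to IOS keywords.
RV042_PHASE1 = {"encr": "3des", "hash": "md5",
                "authentication": "pre-share", "group": "2"}


def parse_isakmp_policies(config_text):
    """Return {policy_number: effective settings}, defaults filled in."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = dict(IOS_DEFAULTS)
            policies[int(words[3])] = current
            continue
        key = ALIASES.get(words[0], words[0])
        if current is not None and key in IGNORED:
            continue
        if current is not None and key in IOS_DEFAULTS and len(words) >= 2:
            current[key] = " ".join(words[1:])
        else:
            current = None  # any other command ends the policy block
    return policies


def phase1_mismatches(policy, peer):
    """Map each differing attribute to (local value, peer value)."""
    return {k: (policy[k], peer[k]) for k in IOS_DEFAULTS if policy[k] != peer[k]}


def matching_policy(policies, peer):
    """Lowest-numbered policy that matches the peer proposal, or None."""
    for number in sorted(policies):
        if not phase1_mismatches(policies[number], peer):
            return number
    return None


if __name__ == "__main__":
    posted = parse_isakmp_policies(POSTED_2801)
    print(phase1_mismatches(posted[11], RV042_PHASE1))
    print(matching_policy(parse_isakmp_policies(FIXED_2801), RV042_PHASE1))
```

With no matching policy the responder has nothing to select, which is consistent with the NO_PROPOSAL_CHOSEN payload in the RV042 log.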
Can you hide the crypto pre-shared key?
Is there a way to hide the crypto pre-shared key in IOS? Following is an example of a config command where the key is not hidden:
crypto isakmp key cisco123 address 10.0.110.1
Thanks!
All about encrypting preshared keys in IOS:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad9.html -
Can't get networkmanager working with openvpn (using static key)
I'm trying to configure networkmanager to open up my VPN connection - using the static/preshared key method - but no dice. (Although I'm able to connect just fine using openvpn from the command line) Anyone been able to get this to work and/or have some suggestions?
I've installed the packages networkmanager, networkmanager-openvpn, and nm-applet. I run nm-applet, and configure the connection, but when I try to launch the connection, it fails. Log file reads as follows:
Oct 28 16:43:56 daroselin NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 19131
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state changed: 1
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state changed: 3
Oct 28 16:43:56 daroselin nm-openvpn[19133]: OpenVPN 2.1_rc20 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 18 2009
Oct 28 16:43:56 daroselin nm-openvpn[19133]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 28 16:43:56 daroselin nm-openvpn[19133]: LZO compression initialized
Oct 28 16:43:56 daroselin kernel: tun0: Disabled Privacy Extensions
Oct 28 16:43:56 daroselin nm-openvpn[19133]: TUN/TAP device tun0 opened
Oct 28 16:43:56 daroselin nm-openvpn[19133]: /sbin/ifconfig tun0 10.1.0.2 pointopoint 10.1.0.1 mtu 1500
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN connection 'DARSYS VPN' (Connect) reply received.
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin failed: 2
Oct 28 16:43:56 daroselin nm-openvpn[19133]: /usr/libexec/nm-openvpn-service-openvpn-helper tun0 1500 1545 10.1.0.2 10.1.0.1 init
Oct 28 16:43:56 daroselin nm-openvpn[19133]: Exiting
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin failed: 1
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state changed: 6
Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state change reason: 0
Oct 28 16:43:56 daroselin NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Oct 28 16:43:56 daroselin NetworkManager: <info> Policy set 'Auto eth0' (eth0) as default for routing and DNS.
Suspiciously, it never seems to try to open a connection to the gateway. (Note that the gateway's IP address never appears in the log entries.)
I've configured the connection in nm-applet as follows:
Gateway: <internet IP address of the gateway/server I'm trying to VPN into>
Type: Static Key
Static Key: <the static key file>
Key direction: none
Remote IP address: 10.1.0.1
Local IP address: 10.1.0.2
When I launch openvpn from the command line, the conf file reads as follows:
[darose@daroselin ca]$ cat /etc/openvpn/static-client.conf
# Sample OpenVPN configuration file for
# office using a pre-shared static key.
# '#' or ';' may be used to delimit comments.
# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun
remote <internet IP address of the gateway/server I'm trying to VPN into>
# 10.1.0.1 is our local VPN endpoint (office).
# 10.1.0.2 is our remote VPN endpoint (home).
ifconfig 10.1.0.2 10.1.0.1
# Our up script will establish routes
# once the VPN is alive.
; up ./office.up
#up ./client.up
route 10.0.0.0 255.255.255.0 10.1.0.1
# Our pre-shared static key
secret static.key
# OpenVPN 2.0 uses UDP port 1194 by default
# (official port assignment by iana.org 11/04).
# OpenVPN 1.x uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
; port 1194
# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
#user nobody
#group nobody
# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo
# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
; ping 15
# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
; ping 15
ping 10
; ping-restart 45
ping-restart 120
;keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
#verb 9
Anyone have any idea what the problem might be here?
If anyone's curious, I opened an upstream bug about this:
https://bugzilla.gnome.org/show_bug.cgi?id=606998 -
"Length is too big" IOException when using OpenSSL key/certs
Using WLS 5.1, SP6, Solaris
Hello one and all:
I am trying to test WLS with SSL. I am using the OpenSSL package to act as my
own CA and generate and sign my own server certs. I don't have any problem
with this part.
However, when I try to use my private key with WLS, I get this
error upon startup:
Java.io.IOException: Length is too big: takes 56 bytes
at weblogic.security.ASN1.ASN1Header.inputLength(ASN1Header.java:133)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:105)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:107)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:85)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:285)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:214)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1180)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:99)
at weblogic.Server.main(Server.java:65)
at weblogic.NmsIpServer.main(NmsIpServer.java:13)
Thu Mar 22 16:02:25 EET 2001:<E> <SSLListenThread> Security
Configuration Problem with SSL server encryption Key
(<path-to-key hidden for publication --scott>),
java.io.IOException: Length is too big: takes 56 bytes
I have read many messages on this group that indicate this same
problem. Some of the suggestions included checking the formatting
of the server key file for extra linefeeds, etc. I have done this.
I even tried the OpenSSL "asn1-kludge" option. It didn't work
either.
So, I hope to hear from someone who has successfully used OpenSSL
keys and certs with WLS.
Thanks,
--scott
Hi.
I had the same problem when I specified a cakey.pem file that was encrypted. For some reason, WLS doesn't seem to support a scheme where it prompts for a password to use for decryption of the private key. Try to decrypt the private key:
openssl rsa -in cakey.pem -out ca_unsafe.pem
and deploy this certificate instead, then it will work ;-)